ICO Published Tech Horizons Report
The Information Commissioner's Office ("ICO") released the Tech Horizons Report (“Report”), which addresses the most significant technological developments for privacy in the next two to five years, as well as the current range of risks that may harm people's privacy and trust in these technologies. The Report focuses on applied technologies that have more certain implications for privacy in the near future. In the Report the following four technologies: consumer healthtech, next-generation Internet of Things (IoT), immersive technology, and decentralized finance are discussed in detail.
Consumer healthtech can improve wellbeing by tracking health metrics and promoting healthy habits, but increased data processing must be considered in this regard. Automated therapy and wearable technologies are given as examples in the Report. According to the Report, main data protection and privacy issues in developing consumer healthtech technology are as follows;
- Some consumer healthtech devices will generate special category data, requiring additional safeguards and create risk of unproper processing,
- Action is needed to ensure that users have meaningful transparency and control of processing of their personal information,
- Some consumer healthtech devices present issues in terms of accuracy and bias,
- Poor data management
To eliminate these issues, organizations must develop healthtech in a privacy-positive way. They should provide clear privacy notices, be transparent about processing special category data, and ensure that algorithmic processing and AI use are accurate, fair, and checked for systemic bias.
Next Generation IOT Devices
Internet of Things (“IoT”) is an evolving technology. IoT devices have potential to reduce carbon footprints, assist vulnerable people, and improve productivity. However, developers and regulators must address data protection compliance issues following that:
- Widespread use of next generation IoT devices may increase cybersecurity risks
- Action is needed to provide people with meaningful transparency and control of their personal information
- Concerns exist about excessive collection or repurposing of personal information
Organisations should consider to take additional steps in order to implement privacy-positive innovation by enhancing IoT device security. Some security principles are outlined in the upcoming Product Security and Telecommunications Infrastructure Bill. Also, taking into account the European Telecommunications Standards Institute’s IoT security standard, ensuring high standards of privacy by default, exploring approaches to transparency and data minimization in smart spaces, being aware of the unique privacy and security challenges of edge computing, and exploring the potential of privacy enhancing techniques in the context of connected devices are of importance in checking the privacy risks of IoT devices.
As declared in the Report ICO intends to develop a guidance on the aspects, continue the support on the default security standards, continue the engagement with stakeholders in the property sector on their privacy readiness for future IoT deployments.
The Report focuses on the immersive technology nearer term and more common applications of augmented reality (“AR”) and virtual reality (“VR”). As VR and AR gain popularity, including listed below issues privacy concerns will arise due to the collection and processing of potentially sensitive data.
- Many immersive technologies will collect information about sensitive human characteristics, requiring additional safeguards,
- Immersive technologies collect large volumes of personal information, prompting questions about data minimization,
- Consideration needs to be given to how to provide transparency for the designated user,
- Concerns exist about lack of transparency for third parties whose personal information may be collected.
Especially in immersive technologies embedding privacy by design is critical to safeguarding people's privacy rights. Businesses developing these technologies should explore technical and policy solutions to manage privacy risks and maximize opportunities. AR and VR devices will process personal information of users and non-users alike, exacerbating privacy risks if not designed and implemented in a privacy-positive manner.
It is of great importance to embed privacy by design in infrastructure, also, policies and standards early on will be critical to ensure people’s rights to privacy are safeguarded in the next generation of immersive internet.
The growing popularity of decentralized finance (“DeFi”) and the qualities of distributed ledger technology (“DLT”) that enable transparent, permissionless and permanent processing beyond centralised control structures also present clear challenges listed below for privacy and compliance with data protection law.
- Organisations may use DeFi systems for a diverse range of transactions. Since anyone with access can inspect the chain and transactions, it is relatively simple for a bot or script to harvest information about transactions etc.
- Blockchain transtactions may not involve disclosing certain categories of personal information that does not eliminate the possibility that people could be identified. This is because information recorded as part of blockchain transactions may be pseudonymised rather than strictly anonymous. The risk of re-identification increases with the volume of information stored on the blockchain.
- The decentralised nature of networks in the crypto-asset industry raises questions about who may be the data controller as well as storage limitation, rectification and erasure obligations may present particular challenges in current popular applications of the technology. People may struggle to exercise their rights because of the identify who the accountable party for data processing.
Fortunately, organizations are developing privacy-positive capabilities, such as privacy mixers and zero-knowledge proofs, to address these concerns. However, these solutions may also reduce the usefulness of the service, so organizations must find a balance between privacy protection and utility.
Currently, DeFi might hold a tiny share of total financial services markets. However, the potential for growth and the novel architecture underpinning DeFi services may create important effects in people’s privacy, as well as ownership and control of personal information in the near future.
In decentralized technologies obligations relating to data protection by design and default require organisations to implement privacy standards and information rights in the systems and services they develop.
The Report provided us with detailed information and aspects on which new technologies will be inspected as well as insight on the privacy expectations regarding applied technologies.
ICO declares in the Report that following the publication of the report into biometric futures in October 2022, second emerging technology deepdive on neurotechnology in the first half of 2023 will also be published.